LLMs writing exploits, engineers losing skills, and a case for the generative OS
(Presented by TLPBLACK: High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Three Buddy Problem - Episode 92: Costin walks through real-world ransomware incident response while Juanito makes the case for AI-generated operating systems that never run anyone else's code. Plus, debates on whether vulnerability research is cooked, why nobody should pay ransoms, and what the security industry looks like after the massive AI flood. Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

0:00 – Introductory banter
2:00 – Costin's ransomware incident response work
3:30 – How attackers break in: Fortinet vulnerabilities everywhere
6:30 – Hunting for ransomware decryption keys
9:00 – Breaking into ransomware C2s and monitoring leak sites
12:00 – The ransom payment debate: should you ever pay?
16:00 – Why "don't pay the ransom" is overgeneralized
21:00 – How ransomware gangs price their demands
24:00 – The AI-pilling of the security industry
28:30 – Nicholas Carlini, Ptacek, and "vulnerability research is cooked"
35:00 – Towards a generative-first operating system
41:00 – Code factories, trusted computing, and killing dependencies
48:00 – Microsoft and Apple's AI positioning
56:00 – Chris St. Myers' "Cognitive Rust Belt" essay
1:18:00 – Choice, The Matrix, and the illusion of control
1:38:00 – Supply chain attacks, North Korea, and dependency sprawl

Links:
Transcript
Nicholas Carlini - Black-hat LLMs
Ptacek: Vulnerability Research Is Cooked
Chris St Myers: Why Organizations Are Confusing Temporary Friction with Permanent Safety
Dan Geer: Children of the Magenta
Calif: Month of AI-Discovered Bugs
Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell
Internet Bug Bounty Pauses Bug Bounty Program
Node.js Bug Bounty Program Paused Due to Loss of Funding
Elastic: How we caught the Axios supply chain attack
Elastic tool: supply-chain-monitor
Apple Will Push Out Rare 'Backported' Patches to iOS 18 Users
WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware
The Human-Machine Team
Arsenal Recon Tool
TLPBLACK
Jeremy Banon: Personal Exec Compromise as Corporate Incident
Security Conversations: Jeremy Bannon, founder/CEO of The Cyber Health Company, joins Ryan Naraine to discuss why executive personal cybersecurity is a growing blind spot for organizations, and real-world incidents where personal compromises became corporate crises. Plus, why CISOs struggle to secure the C-suite's personal lives, and how a healthcare-inspired model (complete with risk scores, care plans, and concierge support) can help companies close the gap.

0:00 — Introduction to The Cyber Health Company
1:00 — Why personal security is a blind spot for organizations
2:00 — Real examples: Disney hack, Instagram compromise, productivity loss
6:50 — Executives circumventing IT policy and Shadow-AI
8:43 — Digital immunity: resilience and incident response readiness
10:25 — The healthcare model for cybersecurity communication
12:14 — How the Cyber Health Score and risk coefficient work
15:34 — OSINT intake: why your social security number isn't private
17:26 — The state of executive security hygiene and the concierge model
35:00 — AI, deepfakes, and the scaling of commodity attacks

Links:
Transcript
TLPBLACK
The Cyber Health Company
Iran-linked hackers breach FBI director's personal email
Disney to stop using Salesforce-owned Slack after hack
Jefferies says CEO Handler's Instagram account hacked
Jeremy Banon on LinkedIn
Jeremy Banon on X/Twitter
Google's Cyber Disruption Unit; Coruna is Triangulation, US Bans Foreign-Made Routers
Three Buddy Problem - Episode 91: This week we dig into Google's new cyber threat disruption unit announced at RSAC, Kaspersky confirming Coruna is a direct evolution of Operation Triangulation, and a cascading supply chain compromise that chained through LiteLLM, Trivy, and Checkmarx into thousands of software pipelines. Plus, VCs and the breathless AI hype, Apple's iOS 26.4 and silent patches, the FCC's ban on foreign-made routers, and Symantec catching an APT looking for Chinese military data. Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

0:00 Intro & Pre-Show Banter
3:08 JAGS in San Francisco: RSAC week recap
6:05 Google Launches Cyber Disruption Unit — What's Actually New?
13:43 Why Separate Disruption Units Matter: ROI & Budget Justification
29:11 Haroon Meer's RSA Reality Check: The AI Hype Machine
32:37 The VC Ponzi Cycle & How Easy Money Hollowed Out Cybersecurity
47:32 ENT.ai & Tenex AI Hackathon at RSAC
53:08 Kaspersky Links Coruna Exploit Kit to Operation Triangulation
1:08:09 Trenchant Cleanup & Lessons from Equation Group Burns
1:19:31 Apple iOS Patches, Hong Kong Device Passcode Law
1:27:53 Handala Hacks FBI Director Kash Patel's Personal Gmail
1:37:32 LeakBase Admin "Chucky" Arrested in Russia — FSB Gets the Data
1:45:38 Supply Chain Attacks: TeamPCP Hits LiteLLM & Trivy
2:04:34 FCC Bans Foreign-Made Routers — But What Do We Buy?

Links:
Transcript
TLPBLACK Solutions
Google launches threat disruption unit at RSAC
White House downplays cyber 'letters of marque' speculation
Haroon Meer on RSAC 2026
Kaspersky on Coruna/Triangulation Connection
Apple Security Bulletin - iOS 26.4
Reverse engineering Apple's silent security fixes
New Hong Kong Law on Phone/Laptop Passwords
Iran-linked hackers breach FBI director's personal email
US DOJ Disrupts Iranian Cyber Enabled Psychological Operations
Official Statement on Stryker Network Disruption
Russia arrests Leakbase admin
Trivy ecosystem supply chain compromised (Advisory)
Self-propagating malware poisons open source software and wipes Iran-based machines
New Malware Targets Users of Cobra DocGuard Software
FCC bans 'foreign made' consumer routers (PDF)
The greatest APT hunter of all time, Apple's exploit kit problem, Microsoft FedRAMP mess
(Presented by Thinkst Canary: Most companies find out way too late that they've been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching 'em, giving you the one alert, when it matters. With zero admin overhead and almost no false positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 90: We remember GReAT teammate Sergey Mineev, the legendary malware hunter behind discoveries like Equation Group and Project Sauron (Remsec), including stories about his methods and why he was the best to ever do it. Plus, another in-the-wild iOS exploit kit discovery and a long overdue conversation about Apple's responsibility to hundreds of millions of users on older iOS versions; the ProPublica Microsoft/FedRAMP bombshell, Interlock ransomware sitting on a Cisco zero-day, the White House AI policy framework, and the Supermicro co-founder's $2.5 billion AI chip smuggling bust. Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:
Transcript
Thinkst Canary
Equation Group: The Crown Creator of Cyber-Espionage
The Project Sauron APT
Google: The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
iVerify: Inside DarkSword - A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
Lookout: Attackers Wielding DarkSword Threaten iOS Users
Apple statement on Coruna, DarkSword
Amazon discovers Interlock ransomware hitting enterprise firewalls
Cisco Secure Firewall Management Center RCE Flaw
CISA Urges Endpoint Management System Hardening After Stryker Attack
Stryker statements on wiper network disruption
Federal Cyber Experts Thought Microsoft's Cloud Was "a Pile of Shit." They Approved It Anyway.
White House Unveils National AI Legislative Framework
Supermicro Founder Charged with Diverting AI tech to China
NEBULA:FOG 2026 | AI x Security Hackathon
Handala wiper attacks, APT28 implant devs are back, Signal's verification problems
Three Buddy Problem - Episode 89: We discuss Iran hacktivist group 'Handala' wiper attacks against US medical device maker Stryker, Microsoft Intune MDM tool abuse, and whether Iran's cyber retaliation is as scary as the headlines suggest. Plus, ESET's discovery that Russia's APT28 original implant developers are back after years of silence, Dutch intelligence warnings on Russian campaigns targeting Signal and WhatsApp accounts, Apple finally patching Coruna exploit kit vulnerabilities for older iPhones, and Google sharing Coruna samples that raise new questions about the exploit kit's proliferation chain. Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:
Transcript (raw, AI-generated)
TLPBLACK Solutions
Kim Zetter: Iranian Hacktivists Strike Medical Device Maker Stryker in "Severe" Attack that Wiped Systems
Stryker Cyberattack Adds to Fears of New Front in Iran War
Bloomberg: Cyberattack Hits Stryker; Pro-Iran Group Claims Credit
Who is Handala? (Malpedia)
Palo Alto: Increased Risk of Wiper Attacks
CISA Advisories on Iran State-Sponsored Cyber Threat
Russian state actors target Signal and WhatsApp accounts
Dutch intel report on Signal, WhatsApp targeting
Signal responds to Dutch Intel report
ESET: Resurgence of one of Russia's most notorious APT groups
Poland says foiled cyberattack on nuclear centre may have come from Iran
Apple ships iOS 16.7.15 to cover 'Coruna' exploits
Apple iOS 15.8.7 covers 'Coruna' exploit kit
Detection Engineering #148
NEBULA:FOG 2026 | AI x Security Hackathon
Ekoparty Miami (May 21-22, 2026)
PIVOTcon Agenda